BANKING ORDINANCE 
Authorization of Virtual Banks 


A Guideline issued by the Monetary Authority 
under Section 16(10) 


Introduction 


l. 


This Guideline is issued under section 16(10) of the Banking Ordinance (the 
Ordinance). It sets out the principles which the Monetary Authority (MA) will take 
into account in deciding whether to authorize “virtual banks” applying to conduct 
banking business in Hong Kong. ' A “virtual bank” is defined as a bank which 
primarily delivers retail banking services through the internet or other forms of 
electronic channels instead of physical branches. 


This Guideline supersedes the previous “Guideline on Authorization of Virtual 
Banks” first issued by the MA under section 16(10) of the Ordinance on 5 May 2000 
and subsequently updated on 21 September 2012. 


General 


3. 


The MA welcomes the establishment of virtual banks in Hong Kong. The 
development of virtual banks will promote the application of financial technology and 
innovation in Hong Kong and offer a new kind of customer experience. In addition, 
virtual banks can help promote financial inclusion as they normally target the retail 
segment, including the small and medium-sized enterprises (SMEs). 


In considering whether to approve or refuse an application for authorization, the MA 
needs to be satisfied that the minimum criteria for authorization in the Seventh 
Schedule to the Ordinance are met. Reference should be made to the “Guideline on 
Minimum Criteria for Authorization” issued by the MA under section 16(10) of the 
Ordinance for details about the manner in which the MA will interpret these licensing 
criteria. 


For a company applying to set up a virtual bank (virtual bank applicant), fulfilment of 
the minimum criteria essentially means that it must have substance and cannot simply 
be a “concept”, taking advantage of the popularity of new technology. The applicant 
must have a concrete and credible business plan setting out how it intends to conduct 
its business and how it proposes to comply with the authorization criteria on an 
ongoing basis. 


Like conventional retail banks, virtual banks should play an active role in promoting 
financial inclusion in delivering their banking services. While virtual banks are not 
expected to maintain physical branches, they should endeavour to take care of the 
needs of their target customers, be they individuals or SMEs. Virtual banks should 
not impose any minimum account balance requirement or low-balance fees on their 
customers. 


In addition to technology and related risks, a virtual bank must attach equal 
importance to the management of credit, liquidity and interest rate risks. In addition, 
the MA must be satisfied that the controllers, directors and chief executives of the 
applicant are fit and proper persons. 


Ownership 


8. 


10. 


Since virtual banks will engage primarily in retail businesses covering a large segment 
of retail customers, they are expected to operate in the form of a locally-incorporated 
bank. This is in line with the established policy of requiring banks that operate 
significant retail businesses to be locally-incorporated entities. 


In addition, it is generally the MA’s policy that a person who holds more than 50% of 
the share capital of a bank incorporated in Hong Kong should be a bank or a financial 
institution in good standing and supervised by a recognised authority in Hong Kong 
or elsewhere. If a locally-incorporated virtual bank applicant is not owned by such a 
bank or financial institution, the MA expects the applicant to be held through an 
intermediate holding company incorporated in Hong Kong, with supervisory 
conditions imposed on this intermediate holding company. The supervisory 
conditions to be imposed will likely cover requirements on capital adequacy, liquidity, 
large exposures, intra-group exposures and charges over assets, group structure, 
activities undertaken, risk management, fitness and propriety of directors and senior 
management and the submission of financial and other information to the MA. 
Accordingly, both financial firms (including existing banks in Hong Kong) and non- 
financial firms (including technology companies) may apply to own and operate a 
virtual bank in Hong Kong. 


The ownership of virtual banks is important because they are usually new ventures 
which can be subject to higher risks in the initial years of operation. It is therefore 
essential that the parent companies of a virtual bank are committed to supporting the 
bank and are capable of providing strong financial, technology and other support 
when necessary. 


Ongoing supervision 


11. 


Virtual banks will be subject to the same set of supervisory requirements applicable to 
conventional banks. That said, some of these requirements will be adapted to suit the 
business models of virtual banks under a risk-based and technology-neutral approach. 
For example, although virtual banks will be required to satisfy the same corporate 
governance standards as conventional banks, given their technology-driven business 
models, the board of directors and senior management of virtual banks should have 
the requisite knowledge and experience to enable them to discharge their functions 
effectively. 


Physical presence 


12. 


A virtual bank applicant, if authorized, must maintain a physical presence in Hong 
Kong, which will be its principal place of business here. This is necessary to provide 
an office in Hong Kong for interfacing with the MA, as well as with customers to deal 
with their enquiries or complaints. 


13. 


Virtual banks are not expected to establish local branches under section 44 of the 
Ordinance. They may nevertheless maintain one or more local offices provided that 
the notification requirement under section 45A of the Ordinance is complied with. To 
facilitate examination and inspection by the MA pursuant to section 55 of the 
Ordinance, virtual banks must keep a full set of their books, accounts and records of 
transactions which are accessible to the MA. 


Technology risk 


14. 


15. 


Technology related risk, especially information security, system resilience and 
business continuity management, is of vital importance to a virtual bank. Security 
breaches and unauthorized tampering with the systems of the bank could result in 
financial loss as well as loss of reputation. The general principle is that the security 
and technology related controls in place should be “fit for purpose”, i.e. appropriate to 
the type of transactions which the virtual bank intends to carry out. 


In this connection, a virtual bank applicant will be required to engage a qualified and 
independent expert to perform an independent assessment of the adequacy of its 
planned IT governance and systems. A copy of this assessment report should be 
provided to the MA as part of the documents submitted on application. A more 
detailed independent assessment of the actual design, implementation and 
effectiveness of its computer hardware, systems, security, procedures and controls 
should be undertaken and the report of the assessment should be provided to the MA 
before the virtual bank commences operation. The bank should also establish 
procedures for regular review of its security and technology related arrangements to 
ensure that such arrangements remain appropriate having regard to the continuing 
developments in technology. 


Risk management 


16. 


17. 


Like conventional banks, a virtual bank applicant must understand the types of risk to 
which it is exposed and put in place appropriate systems to identify, measure, monitor 
and control these risks. It should be aware that certain types of risk such as liquidity, 
operational (including protection of customer data) and reputation risk may be 
accentuated in the case of virtual banks because of their nature of operation. 


At a minimum, the applicant must go through the eight basic types of risk identified in 
the risk-based supervisory framework of the MA (i.e. credit, interest rate, market, 
liquidity, operational, reputation, legal and strategic risk), analyse to what extent it 
will be subject to these risks as a virtual bank and establish appropriate controls to 
manage these risks. 


Business plan 


18. 


A virtual bank must be able to present a credible and viable business plan which 
strikes an appropriate balance between the desire to build market share and the need 
to earn a reasonable return on assets and equity. 


19. 


While the MA will not interfere with the commercial decisions of individual 
institutions, it would be a concern if a virtual bank planned to aggressively build 
market share at the expense of recording substantial losses in the initial years of 
operation without any credible plan for profitability in the medium term. Predatory 
tactics could be detrimental to the stability of the banking sector and could undermine 
the confidence of the general public in the bank itself. In any case, a virtual bank 
should not allow rapid business expansion to put undue strains on its systems and risk 
management capability. 


Exit plan 


20. 


As virtual banking is a new business model in Hong Kong, the MA will require a 
virtual bank applicant to provide an exit plan in case its business model turns out to be 
unsuccessful. The purpose of the exit plan is to ensure that a virtual bank, should it 
become necessary, can unwind its business operations, in an orderly manner without 
causing disruption to the customers and the financial system. In general, an exit plan 
should cover matters including the circumstances under which the plan will be 
triggered, the authority to trigger the plan, the channels to be used to repay depositors 
and the source of funding for making the payments. 


Customer protection 


21. 


22. 


A virtual bank should treat its customers fairly and adhere to the Treat Customers 
Fairly Charter. It should observe the standards contained in the Code of Banking 
Practice issued by the Hong Kong Association of Banks and the DTC Association. It 
must set out clearly in its terms and conditions what are the respective rights and 
obligations between the bank and its customers. Such terms and conditions should be 
fair and balanced to both the bank and its customers. Customers must be made aware 
of their responsibilities to maintain security in the use of virtual banking services and 
their potential liability if they do not. In particular, the terms and conditions should 
highlight how any losses from security breaches, systems failure or human error will 
be apportioned between the bank and its customers. 


In this regard, the MA’s view is that unless a customer acts fraudulently or with gross 
negligence such as failing to properly safeguard his device(s) or secret code(s) for 
accessing the e-banking service, he should not be responsible for any direct loss 
suffered by him as a result of unauthorized transactions conducted through his 
account. 


Outsourcing 


23. 


The MA does not object in principle to outsourcing of computer or business 
operations of a virtual bank to a third party service provider, which may or may not be 
part of the group owning the virtual bank. Virtual banks should discuss their plans for 
material outsourcing with the MA in advance. They should demonstrate that the 
principles in the SPM module on “Outsourcing” (SA-2) will be complied with. In 
particular, the MA must be satisfied that the operations outsourced remain subject to 
adequate security controls, that confidentiality and integrity of customer information 
will not be compromised and that the requirements under the Personal Data (Privacy) 
Ordinance and common law customer confidentiality are complied with. The MA 


should have the right to carry out inspections of the security arrangements and other 
controls in place in the service provider or to obtain reports from a relevant 
supervisory authority, external auditors or other experts. The MA must also be 
satisfied that his powers and duties under the Ordinance (in particular, section 52 
relating to the power of control over an institution) will not be hindered by the 
outsourcing arrangements. 


Capital requirement 


24. Virtual banks must maintain adequate capital commensurate with the nature of their 
operations and the banking risks they are undertaking. 





' This guideline does not address the use of overseas websites by overseas entities to solicit deposits from 
members of the public in Hong Kong. Provided that the deposits were placed overseas, the entity concerned 
would not be taking deposits in Hong Kong and would not be required to be authorized under the Ordinance. 
However, section 92 of the Ordinance makes it an offence for any person to issue any advertisements, 
invitations or documents (advertising materials) to members of the public in Hong Kong to make a deposit, even 
if it is made outside Hong Kong, unless the disclosure requirements in the Fifth Schedule to the Ordinance are 
complied with. The factors that the MA will take into account in considering whether advertising material for 
deposits issued over the internet or other technological means is targeted at members of the public in Hong 
Kong are set out in the Supervisory Policy Manual (SPM) module TM-E-2 “Regulation of advertising material 
for deposits issued over the internet”. 


